Abstract. We provide conditions under which the set of Rijndael-like functions, considered as permutations of the state space and based on operations of the finite field GF(p^r) (p > 2), is not closed under functional composition. These conditions justify using sequential multiple encryption to strengthen generalized Rijndael-like ciphers. In [39], R. Sparr and R. Wernsdorf provided conditions under which the group generated by the Rijndael-like round functions based on operations of the finite field GF(2^r) is equal to the alternating group on the state space. In this paper we provide conditions under which the group generated by the Rijndael-like round functions based on operations of the finite field GF(p^r) (p > 2) is equal to the symmetric group or the alternating group on the state space.



1. Introduction

An SP-network is an iterated block cipher. This means that a certain sequence of computations, constituting a round, is repeated a specified number of times. The computations in each round are defined as a composition of specific functions (substitutions and permutations) in a way that achieves Shannon's principle [38] of confusion and diffusion. The Rijndael block cipher ([H], [IS]) is an example of an SP-network. Rijndael is a block cipher with both a variable block length and a variable key length. The versions with a block size of 128 bits and key lengths of 128, 192, and 256 bits were adopted by NIST as the Advanced Encryption Standard (AES) [33]. Rijndael has a highly algebraic structure: the round transformations are based on operations of the finite field GF(2^8). While little research was done on the structural and algebraic properties of Rijndael before it was adopted as a standard, there has been much research since. Several alternative representations of the AES have been proposed (see, e.g., [2], [S] and [27]) and some group theoretic properties of the AES components have been discovered (see, e.g., [TT], [52], [3H] and [S]).

A motivation for investigating the group theoretic structure of a block cipher is to identify and exclude undesirable properties. One such undesirable property is short cycles of the round functions when considered as permutations of the state space. Another undesirable property is non-trivial factor groups of the group generated by the round functions of the cipher. For example, in [35] it was shown that if the group generated by the round functions of a block cipher is imprimitive, then this might lead to the design of trapdoors. Some related results about the cycle structure of the AES round functions are given in [27] and



2010 Mathematics Subject Classification. 20B05, 20B30, 94A60, 11T71, 14G50.

Key words and phrases. Rijndael cipher, finite fields, symmetric groups, group operation, imprimitivity.
Supported by National Science Foundation grant DMS 1062857.
§ Corresponding author: liljanababinkostova@boisestate.edu.



Knowing the order of the group generated by the round functions is also an important algebraic question about the security of the cipher, because of its connection to the Markov cipher approach to differential cryptanalysis. In [23] it was shown that if the one-round functions of an s-round iterated cipher generate the alternating or the symmetric group, then for all corresponding Markov ciphers the chains of differences are irreducible and aperiodic. This means that after sufficiently many rounds of the cipher all differences become equally probable, which makes the cipher secure against a differential cryptanalysis attack. In [H], R. Wernsdorf showed that the round functions of Rijndael over GF(2^8) generate the alternating group. In [39], R. Sparr and R. Wernsdorf provided conditions under which the group generated by the Rijndael-like round functions which are based on operations on the finite field GF(2^r) is equal to the alternating group on the state space. Motivated by their work we embark on a formal study of the Rijndael-like functions to determine the extent to which this and other results in [JT] hold when we consider an arbitrary finite field. In this paper we provide conditions under which the group generated by the Rijndael-like round functions which are based on operations on the finite field GF(p^r) (p > 2) is equal to the symmetric group or the alternating group on the state space.

Since the adoption of AES as a standard many papers have been published on the cryptanalysis of this cryptosystem. Initially AES survived several cryptanalytic efforts. The situation started to change in 2009 when [1] and [5] presented key recovery attacks on the full versions of AES-256 and AES-192. Since then there have been several other theoretical attacks on these versions of AES and on AES-128 (see, e.g., [7]) as well as on reduced-round instances of these versions of AES (see, e.g., [2T]). However, in [0] the authors presented a key recovery attack on a version of AES-256 with up to 10 rounds that is of practical complexity.

Theoretical attacks against widely used crypto algorithms often get better over time. The crucial question is how far AES is from becoming practically insecure. One way of strengthening AES is through sequential multiple encryption, as has been done with DES (see [26], [12] and [M]). If the set of Rijndael round functions were closed under functional composition, then multiple encryption would be equivalent to a single encryption, and so strengthening AES through multiple encryption would not be possible. Thus, it is important to know whether this set is closed under functional composition. It is also important to know how changing the underlying finite field in AES will impact this property. In this paper we provide conditions under which the set of Rijndael-like functions, considered as permutations of the state space and based on operations of the finite field GF(p^r) (p > 2), is not closed under functional composition.

The idea of examining block ciphers using different binary operations in their underlying structure has already been considered. For example, E. Biham and A. Shamir [3] examined the security of DES against their differential attack when some of the exclusive-or operations in DES are replaced with addition modulo 2^n. In [36] the authors initiated a study of Luby-Rackoff ciphers when the bitwise exclusive-or operation in the underlying Feistel network is replaced by a binary operation in an arbitrary finite group. They showed that in certain cases these ciphers are completely secure against adaptive chosen plaintext and ciphertext attacks and have better time and space complexity if considered over GF(p) for p > 2. Although the study of SP-network based ciphers over GF(2^r) has already been considered (see, e.g., [H]), we are not aware of such a study when the underlying operations are the field operations in GF(p^r) for p > 2.
The paper is organized as follows. In Section 2 we give some background from the theory of permutation groups and finite fields as well as block ciphers. In Section 3 we introduce the generalized Rijndael-like SP-network and provide conditions for the parity and the cycle structure of the round functions of such a network when considered as permutations on the state space. Furthermore, we show when the set of round functions of the generalized Rijndael-like SP-network of s rounds does not constitute a group under functional composition. In Section 4 we derive conditions for Rijndael-like round functions such that the group generated by these functions is equal to the alternating group or the symmetric group on the state space. In Section 5 we conclude the paper.

2. Preliminaries

2.1. Iterated block ciphers. A cryptosystem is an ordered 4-tuple (M, C, K, T) where M, C, and K are called the message (state) space, the ciphertext space, and the key space respectively, and where T : M × K → C is a transformation such that for each k ∈ K the mapping e_k : M → C, called an encryption transformation, is invertible. For any cryptosystem Π = (M, C, K, T), let T_Π = {e_k : k ∈ K} be the set of all encryption transformations. In addition, for any transformation e_k ∈ T_Π, let e_k^{-1} denote the inverse of e_k. In a cryptosystem where M = C the mapping e_k is a permutation of M. We consider only cryptosystems for which M = C. The set of all permutations of the set M is denoted by S_M. Under the operation of functional composition S_M forms a group called the symmetric group over M. The symbol G = ⟨T_Π⟩ denotes the subgroup of S_M that is generated by the set T_Π. The group G is known as the group generated by the cipher. If T_Π = G, that is, if the set of permutations T_Π forms a group, then we say the cipher is a group. As G is finite, by Theorem 3.3 from [22] the cipher is a group if and only if its set of encryption transformations T_Π is closed under functional composition. For such a cipher, multiple encryption offers no better security than single encryption. Computing the group G generated by a cipher is often difficult. Let T[k] denote the round function of the cipher under the round key k ∈ K, where K now denotes the set of all round keys. Let Γ = {T[k] | k ∈ K} be the set of all round functions. The round functions T[k] are also permutations of the message space M, and it is often easier to compute the group G_Γ = ⟨{T[k] | k ∈ K}⟩ generated by these permutations. Suppose we have an s-round cipher with a key schedule KS : K → K^s so that any key k ∈ K produces a sequence of subkeys k_i ∈ K, 1 ≤ i ≤ s. It is natural then to consider the following three groups relevant to the block cipher:

\[
\begin{aligned}
\mathcal{G}_\Gamma   &= \langle\, T[k] \mid k \in \mathcal{K} \,\rangle, \\
\mathcal{G}_\Gamma^s &= \langle\, T[k_s]\, T[k_{s-1}] \cdots T[k_1] \mid k_i \in \mathcal{K} \,\rangle, \\
\mathcal{G}          &= \langle\, T[k_s]\, T[k_{s-1}] \cdots T[k_1] \mid KS(k) = (k_1, k_2, \ldots, k_s) \,\rangle.
\end{aligned}
\]

Thus G_Γ is the group generated by the round functions and G_Γ^s is the group generated by the set of all compositions of s (independently chosen) round functions. The group G is the group generated by the set of all compositions of s round functions using the key schedule KS. This group can also be regarded as the group ⟨T_Π⟩ generated by the cipher T_Π. It is obvious that G is a subgroup of G_Γ^s, which is a subgroup of G_Γ. We will show that G_Γ^s is in fact a normal subgroup of G_Γ.

Lemma 1. For every s, G_Γ^s is a normal subgroup of G_Γ.

Proof. Since G_Γ is generated by Γ, it suffices to check conjugation by a generator T_k = T[k] ∈ Γ. Let T_s ∘ ⋯ ∘ T_1 ∈ G_Γ^s be a composition of s round functions. Writing T_k^{-1} = T_k^{s-1} ∘ (T_k^{s})^{-1}, we see that

\[
\begin{aligned}
T_k \circ (T_s \circ \cdots \circ T_1) \circ T_k^{-1}
 &= T_k \circ (T_s \circ \cdots \circ T_1) \circ \underbrace{(T_k \circ T_k \circ \cdots \circ T_k)}_{s-1 \text{ copies}} \circ \underbrace{(T_k \circ T_k \circ \cdots \circ T_k)}_{s \text{ copies}}{}^{-1} \\
 &= (T_k \circ T_s \circ \cdots \circ T_2) \circ (T_1 \circ \underbrace{T_k \circ T_k \circ \cdots \circ T_k}_{s-1 \text{ copies}}) \circ \underbrace{(T_k \circ T_k \circ \cdots \circ T_k)}_{s \text{ copies}}{}^{-1}.
\end{aligned}
\]

Each of the three factors on the right is a composition of s round functions, or the inverse of one, and so lies in G_Γ^s. It follows that T_k ∘ (T_s ∘ ⋯ ∘ T_1) ∘ T_k^{-1} ∈ G_Γ^s. This completes the proof. □

Thus the group G_Γ generated by the round functions is an upper bound for the group generated by the cipher.
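The closure test and the generated group of this section can be computed directly on a toy instance. The following Python code is an added example, not code from the paper: it takes the state space GF(7) with m = n = r = 1 (so the ShiftRows- and MixColumns-like steps are trivial and a round is the S-box x ↦ A x^{-1} + B of Section 3.2, with 0 ↦ B, followed by key addition), and computes whether the set of round functions {T[k] : k ∈ GF(7)} is closed under composition and the order of the group it generates. The values A = 1, B = 0 and the key-addition-only cipher used for comparison are the example's own choices.

```python
"""Closure under composition and the generated group for a toy Rijndael-like
round set (added example, not the paper's code).

State space: GF(7) = Z/7Z, m = n = r = 1, so ShiftRows/MixColumns are trivial
and a round is the S-box x -> A*x^-1 + B (Section 3.2, 0 -> B) followed by key
addition.  A = 1, B = 0 here; the key-addition-only cipher is included for
comparison.  Permutations are tuples perm[x] = image of x.
"""
from math import factorial

P = 7


def inv(x):
    """x^-1 in GF(7), extended by 0 -> 0 (as in Section 3.2)."""
    return 0 if x == 0 else pow(x, P - 2, P)


def sbox(x, A=1, B=0):
    return (A * inv(x) + B) % P


def round_perm(k, with_sbox):
    """Round function T[k]: SubBytes-like S-box (optional), then AddRoundKey."""
    return tuple(((sbox(x) if with_sbox else x) + k) % P for x in range(P))


def compose(f, g):
    """(f o g)(x) = f(g(x))."""
    return tuple(f[g[x]] for x in range(len(g)))


def is_closed(perms):
    """A finite set of permutations is a group iff it is closed under
    composition (Theorem 3.3 of [22] as used in Section 2.1)."""
    s = set(perms)
    return all(compose(f, g) in s for f in perms for g in perms)


def generated_group(perms):
    """All finite products of the generators, breadth-first; no inverses are
    needed because the group is finite."""
    identity = tuple(range(len(perms[0])))
    seen, frontier = {identity}, [identity]
    while frontier:
        nxt = []
        for h in frontier:
            for g in perms:
                gh = compose(g, h)
                if gh not in seen:
                    seen.add(gh)
                    nxt.append(gh)
        frontier = nxt
    return seen


def analyse(with_sbox):
    """(closed?, order of generated group) for the round set {T[k] : k in GF(7)}."""
    rounds = [round_perm(k, with_sbox) for k in range(P)]
    return is_closed(rounds), len(generated_group(rounds))


if __name__ == "__main__":
    for with_sbox in (False, True):
        closed, order = analyse(with_sbox)
        print(f"S-box={with_sbox}: closed={closed}, |group|={order}, "
              f"|S_7|={factorial(P)}, |A_7|={factorial(P) // 2}")
```

With key addition alone the seven round functions form a group of order 7, so iterating them gains nothing. With the S-box the set is not closed and the generated group has 2520 = 7!/2 elements, i.e. it is A_7: the inversion on GF(7) is the double transposition (2 4)(3 5) and x ↦ x + 1 is a 7-cycle, both even, so A_7 is the largest group they can generate, and the commutator of the two is the 3-cycle (2 4 6), which together with primitivity (prime degree) forces all of A_7.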

2.2. Group theoretical background. In this section we present some background from the theory of permutation groups and finite fields which is used in this paper.

2.2.1. Permutation groups. For a finite set X, let |X| denote the number of elements of X. For any nonempty finite set X with |X| = n, the set of all bijective mappings of X to itself is denoted by S_n and is called the symmetric group on X. A permutation g ∈ S_n is a transposition if g interchanges two elements x, y ∈ X and fixes all the other elements of X \ {x, y}. A permutation g ∈ S_n is called an odd (even) permutation if g can be represented as a composition of an odd (even) number of transpositions.¹

The set of all even permutations is a group under functional composition and is called the alternating group on X. The symbol A_n denotes the alternating group on a set X with |X| = n. The degree of a permutation group G over a finite set X is the number of elements in X that are moved by at least one permutation g ∈ G.

Theorem 2. For n ≥ 5, the alternating group A_n is a simple group.

For any subgroup G ≤ S_n and any x ∈ X, the set orb_G(x) = {g(x) : g ∈ G} is called the orbit of x under G. The set stab_G(x) = {g ∈ G : g(x) = x} is called the stabilizer of x in G. We will make use of the following well-known theorem, often called the Orbit-Stabilizer Theorem.

Theorem 3. Let G be a finite group of permutations of a set X. Then for any x ∈ X,

\[
|G| = |\mathrm{orb}_G(x)| \cdot |\mathrm{stab}_G(x)|.
\]

Let l, n denote natural numbers such that 1 ≤ l ≤ n. A group G ≤ S_n is called l-transitive if, for any pair of l-tuples (a_1, a_2, …, a_l) and (b_1, b_2, …, b_l) with a_i ≠ a_j and b_i ≠ b_j for i ≠ j, there is a permutation g ∈ G with g(a_i) = b_i for all i ∈ {1, 2, …, l}. A 1-transitive permutation group is called transitive.

A subset B ⊆ X is called a block of G if for each g ∈ G either g(B) = B or g(B) ∩ B = ∅. A block B is said to be trivial if B ∈ {∅, X} or B = {x} for some x ∈ X. The group G ≤ S_n is called imprimitive if there is a non-trivial block B ⊆ X of G; otherwise G is called primitive.



¹ Note that in this terminology a cycle of even length is an odd permutation, while a cycle of odd length is an even permutation.
We use the following result from [12] which provides sufficient conditions for a permutation group to be the alternating or the symmetric group.

Lemma 4. Suppose G is a primitive permutation group of degree n on a finite set X. If G contains a cycle of length m with 2 ≤ m ≤ (n − m)!, then G is the alternating or the symmetric group on X.

2.2.2. Finite fields. A structure (F, +, ·) is a field if and only if (F, +) is an Abelian group with identity element 0_F, (F \ {0_F}, ·) is an Abelian group, and the law of distributivity of · over + holds. If the number of elements in F is finite, F is called a finite field; otherwise it is called an infinite field.

Definition 5. Suppose F and K are fields. If F ⊆ K, then F is called a subfield of K, or equivalently K is called an extension field of F.

We can view K as a vector space over F if we define the scalar multiplication as follows:

\[
F \times K \to K, \qquad (a, \alpha) \mapsto a\alpha.
\]

Suppose the extension field K of F is a finite dimensional vector space over F. Let d = dim_F(K) be the dimension of the vector space K over the field F, and let {α_1, α_2, …, α_d} be a basis of the vector space K over F. Then any element β ∈ K can be expressed uniquely as a linear combination of α_1, α_2, …, α_d with coefficients in F:

\[
\beta = a_1\alpha_1 + a_2\alpha_2 + \cdots + a_d\alpha_d,
\]

where a_1, a_2, …, a_d ∈ F.

In field theory the dimension d of the vector space K over F is called the degree of the extension.

It is known that every finite field has order p^n for some prime number p and some positive integer n. Such a field is called a Galois field of order p^n and is denoted by GF(p^n). The following classical fact from the theory of finite fields (see [22]) will be used.

Theorem 6. GF(p^{n_1}) ⊆ GF(p^{n_2}) if and only if n_1 divides n_2.

It is also known that a finite field K of order p^{nd} can be constructed as the quotient ring F[x]/(f(x)), where F[x] is the polynomial ring over the field F of order p^n and f(x) ∈ F[x] is an irreducible polynomial of degree d over F. The field K is an extension field of degree d of F, i.e., a vector space of dimension d over F. The equivalence classes modulo f(x) in F[x]/(f(x)) of the polynomials 1, x, x^2, …, x^{d−1} over F form a basis of K viewed as a vector space over the field F. Thus, using x^i as representative for the equivalence class of x^i modulo f(x) (for 0 ≤ i ≤ d − 1), the elements of K can be represented uniquely as

\[
a_{d-1}x^{d-1} + a_{d-2}x^{d-2} + \cdots + a_2x^2 + a_1x + a_0,
\]

where a_i ∈ F.

Definition 7. A quadratic field extension of a field K is a field extension of degree 2.

In the case where a quadratic extension K arises as the quotient ring F[x]/(f(x)) for an irreducible polynomial f(x) of the form x^2 − c with c ∈ F, it is common to replace the equivalence class of x modulo f(x) with the symbol √c when representing the elements of K as linear combinations of basis elements of the vector space K over the field F. In this notation, elements of K are written as a_0 + a_1√c, where a_0, a_1 ∈ F, and K is usually denoted by F(√c). We consider the following function on finite fields.

Definition 8. Let F be a finite field of order q and K be an extension field of F of degree d. The trace function on K with respect to F is the function Tr : K → F defined by

\[
\mathrm{Tr}(\alpha) = \alpha + \alpha^{q} + \alpha^{q^2} + \cdots + \alpha^{q^{d-1}}.
\]

For any subset S of a field E write S^{-1} for the set {s^{-1} | 0 ≠ s ∈ S}. The set S is called inverse-closed if S^{-1} ⊆ S. The inversion map in finite fields is of cryptographic interest, especially when we study the algebraic structure of ciphers which are based on substitution-permutation networks. The following theorem is a result of S. Mattarei.

Theorem 9. Let A be a non-trivial inverse-closed additive subgroup of the finite field E = GF(p^n). Then either A is a subfield of E or else A is the set of elements of trace zero in some quadratic field extension contained in E.

Lemma 10. The number of elements of trace zero in a quadratic field extension K(√c) of a subfield K ⊆ GF(p^n) is equal to |K|.

Proof. The set of elements of trace zero in K(√c) is the set

\[
\{\, a_0 + a_1\sqrt{c} \mid a_0, a_1 \in K,\ a_0 = 0 \,\}.
\]

This set has |K| members. □

Theorem 11. Any non-trivial inverse-closed additive subgroup H of a finite field GF(p^n) has p^k elements for some k | n.

Proof. By Theorem 9 there are two possibilities: either H is a subfield of GF(p^n), in which case the result follows immediately from Theorem 6, or H is the set of elements of trace zero in a quadratic field extension K(√c) of a subfield K ⊆ GF(p^n). In the latter case, by Theorem 6 we have that |K| = p^k for some k | n, and Lemma 10 yields |H| = |K| = p^k. □

3. Cycle structure of the generalized Rijndael-like round functions

In this section we show properties of the cycle structure of the round functions of a Rijndael-like SP-network considered over the field GF(p^r), which we call generalized Rijndael-like functions. The notation for the generalized Rijndael-like functions and their component functions will be similar to the notation in [39]. One exception will be that the underlying field in the generalized Rijndael-like functions and their component functions is the finite field GF(p^r) of characteristic p > 2 instead of GF(2^r).

Let m, n, r be positive integers. The symbol M_{m,n}(GF(p^r)) denotes the set of all m × n matrices over GF(p^r). The elements of GF(p^r)^{mn} are identified with matrices b ∈ M_{m,n}(GF(p^r)) via the mapping t : GF(p^r)^{mn} → M_{m,n}(GF(p^r)), where t(a) = b is defined by b_{ij} = a_{ni+j} for 0 ≤ i < m, 0 ≤ j < n. First we start with the analysis of the cycle structure of the component functions in the generalized Rijndael-like function.
3.1. Analysis of the AddRoundKey-like function (σ[k]-function).

Definition 12. Let σ[k] : M_{m,n}(GF(p^r)) → M_{m,n}(GF(p^r)) denote the mapping defined by σ[k](a) = b if and only if b_{ij} = a_{ij} + k_{ij} for all 0 ≤ i < m, 0 ≤ j < n, where k ∈ M_{m,n}(GF(p^r)).

Lemma 13. Let k ∈ M_{m,n}(GF(p^r)) be given.

(1) If p > 2 then σ[k] is always an even permutation.

(2) If p = 2 then σ[k] is an even permutation if and only if r · m · n > 1.

Proof. If k = 0, σ[k] is the identity permutation. If k ≠ 0, then σ[k] is composed of p-cycles. If p is odd then there are no cycles of even length, so σ[k] is even. If p = 2 then σ[k] is composed of 2^{rmn−1} many 2-cycles, which is an even number exactly when r · m · n > 1. □

3.2. Analysis of the SubBytes-like function (λ-function).

Definition 14. Let λ : M_{m,n}(GF(p^r)) → M_{m,n}(GF(p^r)) denote the mapping defined as a parallel application of m · n bijective S-box mappings λ_{ij} : GF(p^r) → GF(p^r), i.e. λ(a) = b if and only if b_{ij} = λ_{ij}(a_{ij}) for all 0 ≤ i < m, 0 ≤ j < n.

Each S-box mapping consists of an inversion, multiplication by a fixed A ∈ GF(p^r), and addition of a fixed element B ∈ GF(p^r), i.e. it is a mapping of the form x ↦ Ax^{-1} + B where A, B ∈ GF(p^r) are fixed. For convenience we define this map on all of GF(p^r) so that it maps 0 to B, and any nonzero x to Ax^{-1} + B.

Lemma 15. Let A ∈ GF(p^r) be the fixed element used in the S-box mappings λ_{ij}, and let |⟨A⟩| denote the order of the cyclic subgroup of GF(p^r) \ {0} generated by A. If p = 2 then the function λ is an odd permutation if and only if r ≥ 2 and m · n = 1. If p > 2 then the function λ is an odd permutation if and only if m and n are odd, and either

(1) p ≡ 3 (mod 4), r is odd, and (p^r − 1)/|⟨A⟩| is odd, or

(2) p ≡ 1 (mod 4) or r is even, and (p^r − 1)/|⟨A⟩| is even.

Proof. Analysis of inversion: We first consider a single S-box inversion ι : GF(p^r) → GF(p^r), x ↦ x^{-1} for x ≠ 0, with ι(0) = 0. If we enumerate the elements of GF(p^r) as (0, x_1, …, x_{p^r−1}), then we can represent ι in standard two-row permutation form, listing each x above its image x^{-1}. Writing this in disjoint cycle form we see that ι consists entirely of 1-cycles and 2-cycles. The 1-cycles correspond to the x for which x^2 = 1 or x = 0, while the 2-cycles correspond to the rest of the x's.

Assume that p > 2. Since GF(p^r) \ {0} is a cyclic group under multiplication, it has only φ(2) = 1 element of order 2, and thus, counting the identity also, there are two elements x with x = x^{-1}. Thus there are p^r − 3 other nonzero elements, and these form 2-cycles in pairs, giving a total of ½(p^r − 3) many 2-cycles in the disjoint cycle decomposition of the function ι. If p = 2 then p^r − 1 is odd, and so the cyclic group GF(2^r) \ {0} (under multiplication) has no elements of order 2 (since 2 is not a divisor of 2^r − 1), and so there is only one solution to x = x^{-1} in this case, namely the identity. The remaining 2(2^{r−1} − 1) non-zero elements contribute 2^{r−1} − 1 disjoint 2-cycles to the cycle decomposition of the function ι.

Next we analyze the inversion function as a function over M_{m,n}(GF(p^r)).

(a) Consider p > 2.

When p > 2, a fixed position (i, j) S-box inversion defined on M_{m,n}(GF(p^r)) still consists of 1-cycles and 2-cycles. The remaining mn − 1 positions in the m × n matrices in M_{m,n}(GF(p^r)) can be filled in p^{r(mn−1)} ways, so each 2-cycle of ι produces p^{r(mn−1)} 2-cycles over M_{m,n}(GF(p^r)), leading to a total of

(1)
\[
\tfrac{1}{2}(p^r - 3)\, p^{r(mn-1)}
\]

2-cycles, which is an odd number if and only if p ≡ 1 (mod 4) or r is even (that is, if and only if p^r ≡ 1 (mod 4)).

(b) Consider p = 2.

Over M_{m,n}(GF(2^r)), a fixed position (i, j) S-box inversion consists of inversion in one position's field GF(2^r) and the identity on all other mn − 1 positions. Therefore, for every 2-cycle over GF(2^r), there are 2^{r(mn−1)} many 2-cycles over GF(2^r)^{mn}. The total number of 2-cycles is

\[
\tfrac{1}{2}\, 2^{r(mn-1)} (2^r - 2) = 2^{r(mn-1)} (2^{r-1} - 1),
\]

which for r ≥ 2 is even if and only if mn ≥ 2 (for r = 1 the inversion on GF(2) is the identity and the count is zero).

Analysis of multiplication by a fixed polynomial in GF(p^r): Multiplication by a fixed polynomial (field element) A ∈ GF(p^r) produces cycles of length |⟨A⟩| on the non-zero field elements (the cosets of ⟨A⟩ in GF(p^r) \ {0}), and a cycle of length one on the zero element. Over M_{m,n}(GF(p^r)), there are

(2)
\[
\frac{p^r - 1}{|\langle A \rangle|}\; p^{r(mn-1)}
\]

of these cycles, each of length |⟨A⟩| (see equation (6)).

(a) Consider p > 2.

Then (2) is an odd number if and only if (p^r − 1)/|⟨A⟩| is odd, in which case the cycle length |⟨A⟩| is even (since p^r − 1 is even). In this case the permutation obtained from multiplication by A is an odd permutation.

(b) Consider p = 2.

|⟨A⟩| divides 2^r − 1 and is therefore odd, so there are no even-length cycles. In this case the permutation obtained from multiplication by the polynomial A ∈ GF(2^r) is an even permutation.

Analysis of addition of a constant: If p > 2 the addition of a constant is always an even permutation, and if p = 2 then it is even if and only if m · n · r > 1 (Lemma 13).

From the above, we conclude that for p an odd prime the S-box mapping λ_{ij} is odd if and only if exactly one of the conditions "(p^r − 1)/|⟨A⟩| is odd" and "p ≡ 1 (mod 4) or r is even" holds, but not both. Since the same S-box is used in every position, the function λ defined as the parallel application of all m · n S-box mappings λ_{ij} is odd if and only if each S-box mapping λ_{ij} is odd and m · n is odd, i.e. m and n are odd. For p = 2 the function λ is odd if and only if r ≥ 2 and m · n = 1. □
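The parity criteria of Lemmas 13 and 15 can be checked by brute force for small parameters. The following Python code is an added example, not code from the paper: it builds GF(p^r) for p ∈ {3, 5, 7} and r ∈ {1, 2} from hard-coded irreducible polynomials (listed in the code; these choices are the example's own), realises σ[k] and λ as permutations of GF(p^r)^{mn} encoded as integers, computes their sign from the cycle decomposition, and compares with Lemma 13(1) and with Lemma 15 for p > 2, the latter rewritten in terms of q = p^r: λ is odd iff m and n are odd and exactly one of "q ≡ 1 (mod 4)" and "(q − 1)/|⟨A⟩| is odd" holds. The same A and B are used in all m · n S-boxes, as in the lemma.

```python
"""Parity of the AddRoundKey-like (sigma[k]) and SubBytes-like (lambda)
functions as permutations of M_{m,n}(GF(p^r)), checked against Lemmas 13 and 15.

Added example, not code from the paper.  GF(p^r) is built as GF(p)[x]/(f(x))
with the irreducible f listed in IRREDUCIBLE (the example's own choice).  A
field element is encoded as the integer whose base-p digits are its polynomial
coefficients, and a state in GF(p^r)^{mn} as the integer whose base-q digits
(q = p^r) are its cells, cell t = n*i + j as in Section 3.
"""

# Monic irreducible polynomials, coefficients listed from x^0 upwards.
IRREDUCIBLE = {
    (3, 2): [1, 0, 1],   # x^2 + 1 over GF(3): -1 is a non-square mod 3
    (5, 2): [3, 0, 1],   # x^2 + 3 over GF(5): -3 = 2 is a non-square mod 5
    (7, 2): [1, 0, 1],   # x^2 + 1 over GF(7): -1 = 6 is a non-square mod 7
}


class GF:
    """GF(p^r) with elements 0..q-1; multiplication and inverse tables."""

    def __init__(self, p, r):
        self.p, self.r, self.q = p, r, p ** r
        self.mul = [[self._mul(a, b) for b in range(self.q)] for a in range(self.q)]
        self.inv = [0] * self.q            # inversion, extended by 0 -> 0
        for a in range(1, self.q):
            self.inv[a] = self.mul[a].index(1)

    def _digits(self, a):
        return [(a // self.p ** i) % self.p for i in range(self.r)]

    def _mul(self, a, b):
        da, db = self._digits(a), self._digits(b)
        prod = [0] * (2 * self.r - 1)      # polynomial product, degree < 2r-1
        for i, x in enumerate(da):
            for j, y in enumerate(db):
                prod[i + j] = (prod[i + j] + x * y) % self.p
        if self.r > 1:                     # reduce modulo f, highest power first
            f = IRREDUCIBLE[(self.p, self.r)]
            for k in range(2 * self.r - 2, self.r - 1, -1):
                c = prod[k]
                for i in range(self.r + 1):
                    prod[k - self.r + i] = (prod[k - self.r + i] - c * f[i]) % self.p
        return sum(prod[i] * self.p ** i for i in range(self.r))

    def add(self, a, b):
        return sum(((x + y) % self.p) * self.p ** i
                   for i, (x, y) in enumerate(zip(self._digits(a), self._digits(b))))

    def order(self, a):
        """Multiplicative order |<A>| of a non-zero element a."""
        k, x = 1, a
        while x != 1:
            x, k = self.mul[x][a], k + 1
        return k


def sign(perm):
    """Sign of a permutation perm[i] = image of i, via (-1)^(points - cycles)."""
    seen, cycles = [False] * len(perm), 0
    for i in range(len(perm)):
        if not seen[i]:
            cycles += 1
            j = i
            while not seen[j]:
                seen[j], j = True, perm[j]
    return 1 if (len(perm) - cycles) % 2 == 0 else -1


def cellwise_perm(F, m, n, cell_map):
    """Permutation of GF(q)^{mn} applying cell_map(i, j, value) to cell (i, j)."""
    q, cells = F.q, m * n
    pw = [q ** t for t in range(cells)]
    perm = []
    for s in range(q ** cells):
        img = 0
        for t in range(cells):
            img += cell_map(t // n, t % n, (s // pw[t]) % q) * pw[t]
        perm.append(img)
    return perm


def add_round_key(F, m, n, key):
    """sigma[k] of Definition 12; key is the list of the m*n round-key cells."""
    return cellwise_perm(F, m, n, lambda i, j, v: F.add(v, key[n * i + j]))


def sub_bytes(F, m, n, A, B):
    """lambda of Definition 14 with the same S-box x -> A x^-1 + B in every cell."""
    return cellwise_perm(F, m, n, lambda i, j, v: F.add(F.mul[A][F.inv[v]], B))


def lemma15_predicts_odd(F, m, n, A):
    """Lemma 15 for p odd, written with q = p^r: lambda is odd iff m, n are odd
    and exactly one of  q = 1 (mod 4)  [p = 1 (mod 4) or r even]  and
    (q-1)/|<A>| odd  holds."""
    ratio_odd = ((F.q - 1) // F.order(A)) % 2 == 1
    return m % 2 == 1 and n % 2 == 1 and ((F.q % 4 == 1) != ratio_odd)


def check_lemmas(max_states=20000):
    """Compare computed parities with Lemma 13(1) and Lemma 15 over a grid of
    small parameters; returns the disagreeing cases (empty list = all agree)."""
    mismatches = []
    for p in (3, 5, 7):
        for r in (1, 2):
            F = GF(p, r)
            for m, n in ((1, 1), (1, 2), (2, 1), (1, 3), (3, 1), (2, 2)):
                if F.q ** (m * n) > max_states:
                    continue
                key = [(5 * t + 1) % F.q for t in range(m * n)]   # arbitrary key
                if sign(add_round_key(F, m, n, key)) != 1:        # Lemma 13(1)
                    mismatches.append((p, r, m, n, "sigma"))
                for A in range(1, min(F.q, 9)):                   # several multipliers
                    odd = sign(sub_bytes(F, m, n, A, B=2)) == -1
                    if odd != lemma15_predicts_odd(F, m, n, A):
                        mismatches.append((p, r, m, n, A))
    return mismatches


if __name__ == "__main__":
    print("mismatches:", check_lemmas())
```

Over GF(7) with m = n = 1 the two cases of the lemma can be read off directly: inversion alone (A = 1) is the double transposition (2 4)(3 5) and even, while A = 3, a generator of GF(7)^* so that (7 − 1)/|⟨3⟩| = 1, gives (1 3)(2 5)(4 6) and is odd, matching condition (1) with p = 7 ≡ 3 (mod 4) and r = 1.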
3.3. Analysis of the ShiftRows-like function (π-function).

Definition 16. Let π : M_{m,n}(GF(p^r)) → M_{m,n}(GF(p^r)) denote the mapping for which there is a mapping c : {0, …, m − 1} → {0, …, n − 1} such that π(a) = b if and only if

\[
b_{ij} = a_{i,\,(j - c(i)) \bmod n} \quad \text{for all } 0 \le i < m,\ 0 \le j < n.
\]

We present our analysis of the parity of π in two cases according to whether p is an odd prime number or p = 2.

Lemma 17. Let p > 2 be a prime. The function π is an odd permutation if, and only if, p ≡ 3 (mod 4), n is even, r is odd, and gcd(n, c(i)) is odd for an odd number of i ∈ {0, …, m − 1}.

Proof. The function π permutes each row of the state matrix, an element of M_{m,n}(GF(p^r)), by shifting that row by a constant offset. To analyze the parity of the whole permutation, we consider it as the composition of m row permutations. A row permutation shifts a specific row by the corresponding offset, while leaving all other entries of the matrix fixed. Thus for a specific matrix from M_{m,n}(GF(p^r)), such a row permutation leaves (m − 1)n entries fixed.

The parity of the function π is then computed from the parity of each row permutation by considering the permutation of M_{1,n}(GF(p^r)) corresponding to the restriction of the row permutation to the particular row in question. We count the number of even-length cycles (note that an even-length cycle is an odd permutation) in the cycle decomposition of this restricted permutation, and then multiply by p^{r(m−1)n} to obtain the number of even-length cycles of the row permutation over M_{m,n}(GF(p^r)). Since p is odd, this factor does not change the parity of the count.

We first identify the possible lengths of cycles in the cycle decomposition of this permutation, and then we count the number of cycles of each length. From this information and the value of the prime number p we then conclude what the parity of the permutation π is.

Analysis of the cycle lengths: To determine the possible lengths of a cycle of the permutation that leaves all entries in the m × n matrix fixed, except for the i-th row, and which shifts the i-th row's n entries by c(i) units each, consider all the n-vectors whose entries are elements of GF(p^r). A typical such vector is of the form (x_0, …, x_{n−1}) where the x_j are elements of GF(p^r). A single application of this permutation maps as follows:

\[
(x_0, \ldots, x_{n-1}) \mapsto \left(x_{(n - c(i) + 0) \bmod n}, \ldots, x_{(n - c(i) + n - 1) \bmod n}\right).
\]

And k iterations of this permutation map as follows:

\[
(x_0, \ldots, x_{n-1}) \mapsto \left(x_{(k(n - c(i)) + 0) \bmod n}, \ldots, x_{(k(n - c(i)) + n - 1) \bmod n}\right).
\]

The least k > 0 which, for every n-vector (x_0, …, x_{n−1}) of elements of GF(p^r), produces

\[
\left(x_{(k(n - c(i)) + 0) \bmod n}, \ldots, x_{(k(n - c(i)) + n - 1) \bmod n}\right) = (x_0, \ldots, x_{n-1})
\]

gives the order of the cyclic group G generated by this row permutation. For this k we have

\[
k \cdot (n - c(i)) \equiv 0 \pmod n,
\]

meaning k · c(i) is a common multiple of c(i) and n. By minimality of k, this is the least common multiple of c(i) and n, which is n · c(i)/gcd(n, c(i)), and thus k = n/gcd(n, c(i)).

By the Orbit-Stabilizer Theorem we see that for any n-vector (x_0, …, x_{n−1}) we have

\[
\frac{n}{\gcd(n, c(i))} = |G| = |\mathrm{orb}_G((x_0, \ldots, x_{n-1}))| \cdot |\mathrm{stab}_G((x_0, \ldots, x_{n-1}))|.
\]

But the orbit of (x_0, …, x_{n−1}) "is" the cycle containing (x_0, …, x_{n−1}) in the disjoint cycle decomposition of this row permutation. And the length of this cycle is thus a divisor of n/gcd(n, c(i)).

For the divisor d = 1, a fixed point is built by taking a vector (x_0, …, x_{gcd(n,c(i))−1}) and concatenating it n/gcd(n, c(i)) times to form a vector of length n. There are p^r choices for each of the x_j, and thus p^{r · gcd(n,c(i))} n-vectors with orbit length equal to 1.

Claim 1: For each divisor d > 1 of n/gcd(n, c(i)), there is an n-vector (x_0, …, x_{n−1}) for which the orbit length is d. Fix f such that d · f = n/gcd(n, c(i)) and choose distinct elements x, y ∈ GF(p^r). Consider the n-vector which consists of the concatenation of f copies of the vector (y, …, y, x), which has only one entry equal to x:

\[
(y, \ldots, y, x) \frown (y, \ldots, y, x) \frown \cdots \frown (y, \ldots, y, x).
\]

Note that the vector (y, …, y, x) has length d · gcd(n, c(i)).

Consider the last x of this n-vector. After a minimum number t of applications of the permutation it is again in a position of an x in the n-vector; that is, it has been moved by the least common multiple of d · gcd(n, c(i)) and c(i), so that

\[
t \cdot c(i) = \mathrm{lcm}\big(d \cdot \gcd(n, c(i)),\, c(i)\big) = \frac{d \cdot \gcd(n, c(i)) \cdot c(i)}{\gcd\big(d \cdot \gcd(n, c(i)),\, c(i)\big)}.
\]

As d divides n/gcd(n, c(i)), gcd(d, c(i)/gcd(n, c(i))) divides gcd(n/gcd(n, c(i)), c(i)/gcd(n, c(i))) = 1, and hence

\[
\gcd\big(d \cdot \gcd(n, c(i)),\, c(i)\big) = \gcd(n, c(i)).
\]

It follows that t · c(i) = d · c(i), i.e. t = d: after d applications of the permutation (a total shift of d · c(i) units, a multiple of the period d · gcd(n, c(i)) of the vector) this n-vector is a fixed point. Every iterate of this d-th iterate has this n-vector as a fixed point, and the order of the d-th iterate is

\[
\frac{n/\gcd(n, c(i))}{\gcd\big(d,\, n/\gcd(n, c(i))\big)} = \frac{n/\gcd(n, c(i))}{d} = \frac{n}{d \cdot \gcd(n, c(i))} = f.
\]

Since fewer than d applications do not return the last x to the position of an x, the stabilizer consists exactly of these f iterates, so

\[
\big|\mathrm{stab}_G\big((y, \ldots, y, x) \frown (y, \ldots, y, x) \frown \cdots \frown (y, \ldots, y, x)\big)\big| = f,
\]

and thus the orbit has d elements, meaning that in the cycle decomposition of the permutation the cycle containing this vector has length d. This completes the proof of Claim 1, and establishes all occurring cycle lengths for this permutation.

Analysis of the number of cycles of a given length: Fix a divisor d' of n/gcd(n, c(i)). We now count the number of cycles of length exactly d' in the cycle decomposition of the given permutation. As observed before, for d' = 1 there are exactly p^{r · gcd(n,c(i))} cycles of length 1 for this permutation. Now consider the case when d' > 1. It can be shown that if an n-vector (x_0, …, x_{n−1}) has an orbit of length dividing d', then it is a concatenation of a number of copies of a vector (y_1, …, y_{d' · gcd(n,c(i))}). The total number of such vectors that can be constructed using the elements of GF(p^r) is p^{r · d' · gcd(n,c(i))}. But for d' > 1 many of these (d' · gcd(n, c(i)))-vectors have orbits whose cardinality is a proper divisor of d' and thus should be excluded from the count of items producing cycles of length exactly d'. Notice that for d a divisor of d' the vectors producing orbits of cardinality d are obtained by concatenating a vector (y_1, …, y_{d · gcd(n,c(i))}) the appropriate number of times. The vectors among those of the form (z_1, …, z_{d' · gcd(n,c(i))}) to be excluded are those obtained by concatenating d'/d copies of a vector (y_1, …, y_{d · gcd(n,c(i))}) to obtain the vector (z_1, …, z_{d' · gcd(n,c(i))}). Let N(d') denote the number of (d' · gcd(n, c(i)))-vectors that produce cycles of length exactly d'. Thus, N(1) = p^{r · gcd(n,c(i))}, and for d' > 1 we find that

\[
N(d') = p^{r \cdot d' \cdot \gcd(n, c(i))} - \sum_{d \mid d',\ d \neq d'} N(d).
\]

Alternately this can be written

\[
p^{r \cdot d' \cdot \gcd(n, c(i))} = \sum_{d \mid d'} N(d).
\]

By the Möbius inversion formula (Theorem 2 on p. 20 of [25]) we have

(3)
\[
N(d') = \sum_{d \mid d'} p^{r \cdot d \cdot \gcd(n, c(i))}\, \mu\!\left(\frac{d'}{d}\right).
\]

Note that since each orbit contains exactly d' elements, the number of disjoint cycles in the cycle decomposition of the permutation contributed by these vectors is N(d')/d'. The question is whether this number is even or odd. Since a cycle of odd length is an even permutation, the answer to this question is relevant only when d' is even. Let d' be even and have prime factorization

(4)
\[
d' = 2^{a} \cdot p_1^{a_1} \cdots p_l^{a_l}, \qquad a > 0,
\]

with p_1, …, p_l distinct odd primes. Since we are interested only in the parity of N(d')/d', we seek to determine whether

(5)
\[
N(d') \bmod 2^{a+1}
\]

is zero or positive.
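The Möbius count (3) and the parity criterion of Lemma 17 can be checked by enumerating the orbits of a row shift directly. The following Python code is an added example, not code from the paper. Since the row shift only permutes coordinates, it depends on GF(p^r) only through q = p^r, so vectors are taken over range(q). For a single row (m = 1) it tallies the cycle lengths of the shift by c on the q^n vectors, compares them with N(d')/d' from equation (3), and compares the resulting parity with the criterion of Lemma 17 (p ≡ 3 (mod 4) with r odd is the same as q ≡ 3 (mod 4)). The function for the whole of π with several rows uses the observation from the proof that each row permutation has the same parity on M_{m,n}(GF(p^r)) as on GF(p^r)^n, because the factor p^{r(m−1)n} is odd.

```python
"""Cycle structure of a ShiftRows-like row shift (Definition 16), compared
with the Moebius count N(d') of equation (3) and the parity criterion of
Lemma 17.  Added example, not the paper's code.

The row shift only permutes coordinates, so it depends on the field only
through q = p^r: vectors are tuples over range(q).
"""
from collections import Counter
from itertools import product
from math import gcd


def moebius(k):
    """Moebius function mu(k) by trial division (k is small here)."""
    result, d = 1, 2
    while d * d <= k:
        if k % d == 0:
            k //= d
            if k % d == 0:
                return 0                 # square factor
            result = -result
        d += 1
    return -result if k > 1 else result


def row_shift(vec, c):
    """One application of the i-th row permutation: b_j = a_{(j - c) mod n}."""
    n = len(vec)
    return tuple(vec[(j - c) % n] for j in range(n))


def cycle_counts(q, n, c):
    """Counter {cycle length: number of cycles} of the shift by c on range(q)^n."""
    seen, counts = set(), Counter()
    for v in product(range(q), repeat=n):
        if v in seen:
            continue
        length, w = 0, v
        while w not in seen:             # walk the orbit of v
            seen.add(w)
            w, length = row_shift(w, c), length + 1
        counts[length] += 1
    return counts


def moebius_counts(q, n, c):
    """Equation (3): for each divisor d' of n/gcd(n, c) there are N(d')/d'
    cycles of length d', with N(d') = sum_{d | d'} mu(d'/d) q^(d*gcd(n, c))."""
    g = gcd(n, c)
    top = n // g
    counts = {}
    for dp in (x for x in range(1, top + 1) if top % x == 0):
        N = sum(moebius(dp // d) * q ** (d * g) for d in range(1, dp + 1) if dp % d == 0)
        counts[dp] = N // dp
    return counts


def is_odd_from_counts(counts):
    """A permutation is odd iff it has an odd number of even-length cycles."""
    return sum(k for length, k in counts.items() if length % 2 == 0) % 2 == 1


def pi_is_odd(q, n, shifts):
    """Parity of pi with row offsets c(0), ..., c(m-1): each row permutation
    keeps its parity on M_{m,n}(GF(q)) (the factor q^((m-1)n) is odd) and
    pi is their composition."""
    return sum(is_odd_from_counts(cycle_counts(q, n, c)) for c in shifts) % 2 == 1


def lemma17_predicts_odd(q, n, shifts):
    """Lemma 17: pi is odd iff q = 3 (mod 4) [p = 3 (mod 4), r odd], n is even,
    and gcd(n, c(i)) is odd for an odd number of rows i."""
    return q % 4 == 3 and n % 2 == 0 and sum(gcd(n, c) % 2 for c in shifts) % 2 == 1


def check(max_states=20000):
    """Single-row comparison of enumeration against (3) and Lemma 17 for
    q in {3, 5, 7}; returns the disagreeing (q, n, c, what) cases."""
    bad = []
    for q in (3, 5, 7):
        for n in range(2, 10):
            if q ** n > max_states:
                break
            for c in range(n):
                counts = cycle_counts(q, n, c)
                if dict(counts) != moebius_counts(q, n, c):
                    bad.append((q, n, c, "count"))
                if is_odd_from_counts(counts) != lemma17_predicts_odd(q, n, [c]):
                    bad.append((q, n, c, "parity"))
    return bad


if __name__ == "__main__":
    print("disagreements:", check())
    print("q=3, n=4, c=1:", dict(cycle_counts(3, 4, 1)), "odd:", pi_is_odd(3, 4, [1]))
```

For q = 3, n = 4 and c = 1 the shift has 3 fixed points, 3 cycles of length 2 and 18 of length 4; only the three 2-cycles contribute to the parity, so the row permutation is odd, as Lemma 17 predicts for q ≡ 3 (mod 4), n even and gcd(4, 1) = 1. With c = 2 instead, gcd(4, 2) = 2 and the (81 − 9)/2 = 36 two-cycles give an even permutation.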

Consider /x(^) for an even d' and a factor d of d'. By the definition of /i, the only case 
when /i(^) is non-zero is when ^ is 1, or else square free {i.e., a product of distinct prime 
numbers). In each of these cases the power of 2 that divides into d is at least 2"~^, so that 
the factor p^-^-9cd(n,c{i)) ^^^q term corresponding to the factor d is of the form v'^" where 
V is an odd number if p is an odd prime number, and even otherwise. 

Let $a > 1$. Then for any odd number $v$ we have that $v^{2^{a-1}} \equiv 1 \bmod 2^{a+1}$, by Theorem 2' in Chapter 4.1 of [25]. Then the equation (5) reduces to

$$\sum_{d \mid d'} p^{r \cdot d \cdot \gcd(n,c(i))}\, \mu\!\left(\frac{d'}{d}\right) \bmod 2^{a+1} = \sum_{d \mid d'} 1 \cdot \mu\!\left(\frac{d'}{d}\right) \bmod 2^{a+1} = 0,$$

since for any integer $k > 1$ we have, by Proposition 2.2.3 on p. 19 of [25], that $\sum_{d \mid k} \mu(d) = 0$.
Next, consider $a = 1$. We need to analyze the following two cases.

Case 1: $r$ is even or $p \equiv_4 1$. Since for each odd number $v$ we have $v^2 \equiv_4 1$ and since we have $a = 1$ in equation (4), the equation (5) reduces to

$$\sum_{d \mid d'} p^{r \cdot d \cdot \gcd(n,c(i))}\, \mu\!\left(\frac{d'}{d}\right) \bmod 4 = \sum_{d \mid d'} 1 \cdot \mu\!\left(\frac{d'}{d}\right) \bmod 4 = 0,$$

using Proposition 2.2.3 on p. 19 of [25] as in the previous case and the fact that $a = 1$ and $p \equiv_4 1$ or $r$ is even. This concludes the argument that if $p$ is a prime number such that $p \equiv_4 1$, or if $r$ is even, then for each $i$ the permutation shifting each item in the $i$-th row of $M_{m,n}(GF(p^r))$ by $c(i)$ units is an even permutation. As a result the function $\pi$ is a composition of even permutations, and thus is an even permutation in this case.
Case 2: $r$ is odd and $p \equiv_4 3$. We will start analyzing this case by first assuming that $d' > 2$. The factors of $d'$ are either of the form $2d$ where $d$ is odd, or $d$ where $d$ is odd.

Part 1: Factors of the form $2d$, where $d$ is odd. Since for each odd number $v$, $v^2 \equiv_4 1$, we have the following

$$\sum_{2d \mid d'} p^{r \cdot 2d \cdot \gcd(n,c(i))}\, \mu\!\left(\frac{d'}{2d}\right) \bmod 4 = \sum_{2d \mid d'} 1 \cdot \mu\!\left(\frac{d'}{2d}\right) \bmod 4 = \sum_{d \mid \frac{d'}{2}} \mu\!\left(\frac{d'/2}{d}\right) \bmod 4 = 0,$$

again using Proposition 2.2.3 on p. 19 of [25] as before.

Part 2: Factors of the form $d$, where $d$ is odd. First note that if $v$ is an odd number such that $v \equiv_4 3$, then for any odd number $r$, $v^r \equiv_4 3$. Using this observation and the fact that $a = 1$ in equation (4), the equation (5) reduces to

$$\sum_{d \mid d',\ d \text{ odd}} p^{r \cdot d \cdot \gcd(n,c(i))}\, \mu\!\left(\frac{d'}{d}\right) \bmod 4 = \sum_{d \mid \frac{d'}{2}} 3^{\gcd(n,c(i))} \cdot \left(-\mu\!\left(\frac{d'/2}{d}\right)\right) \bmod 4 = -3^{\gcd(n,c(i))} \sum_{d \mid \frac{d'}{2}} \mu\!\left(\frac{d'/2}{d}\right) \bmod 4 = 0.$$

Here we used the fact that $\mu$ is multiplicative, so that for odd $w$, $\mu(2w) = \mu(2)\mu(w) = -\mu(w)$, and we again used Proposition 2.2.3 on p. 19 of [25]. Taking Part 1 and Part 2 together, we obtain for $d' > 2$ that $N(d') \equiv_4 0$.



Next, assume that $d' = 2$. Then $\frac{N(d')}{d'}$ reduces to

$$\frac{N(2)}{2} = \frac{p^{r \cdot 2 \cdot \gcd(n,c(i))}\,\mu(1) + p^{r \cdot 1 \cdot \gcd(n,c(i))}\,\mu(2)}{2} = p^{r \cdot \gcd(n,c(i))} \cdot \frac{p^{r \cdot \gcd(n,c(i))} - 1}{2}.$$
Since $p$ is odd, the parity of this quantity depends entirely on the parity of $\frac{p^{r \cdot \gcd(n,c(i))} - 1}{2}$, which in turn depends on the parity of $r \cdot \gcd(n,c(i))$. For this we consider the parity of $\frac{(4k+3)^m - 1}{2}$ (since $p \equiv_4 3$; here $m$ stands for the exponent $r \cdot \gcd(n,c(i))$). By the Binomial Theorem $(4k+3)^m$ has the form $3^m + 4x$ for an appropriate integer $x$, and so $\frac{(4k+3)^m - 1}{2} = \frac{3^m + 4x - 1}{2}$, and the parity of this quantity depends on the parity of $\frac{3^m - 1}{2}$. Applying the Binomial Theorem to $3^m = (2+1)^m$, we see that $3^m$ is of the form $1 + 2m + 4x$ for an appropriate integer $x$. Thus, $\frac{3^m - 1}{2}$ is of the form $m + 2x$, which is even if, and only if, $m$ is even. Thus, as $r$ is odd, we find that $\frac{p^{r \cdot \gcd(n,c(i))} - 1}{2} \equiv_2 0$ if $\gcd(n,c(i))$ is even and $\equiv_2 1$ if $\gcd(n,c(i))$ is odd. Since for divisors $d' > 2$ of $\frac{n}{\gcd(n,c(i))}$ we have $\frac{N(d')}{d'}$ even, it follows that when $p \equiv_4 3$ the row permutation is even if, and only if, $r \cdot \gcd(n,c(i))$ is even. Since the function $\pi$ is a composition of these row permutations we see that for $p \equiv_4 3$, we have that $\pi$ is an odd permutation if and only if $r \cdot \gcd(n,c(i))$ is odd for an odd number of $i$ and even for the remaining values of $i$. □

Lemma 18. The function $\pi : M_{m,n}(GF(2^r)) \to M_{m,n}(GF(2^r))$ is an odd permutation if, and only if, $m \cdot r \cdot \gcd(n, c(0)) = 1$ and $n = 2$.

Proof. We analyze separately the cases $m > 1$ and $m = 1$.

Case 1: Let $m > 1$. The number $2^{r(m-1)n}$ is an even number, and each cycle length of the permutation $\pi$ appears a multiple of $2^{r(m-1)n}$ times in its cycle decomposition. Thus in this case $\pi$ is an even permutation.

Case 2: Let $m = 1$. Then the function $\pi$ is a single row permutation, and the factor $2^{r(m-1)n}$ equals 1, so that the parity argument when $m > 1$ does not apply. Once again apply the equations (3) and (5) for $p = 2$. Considering a factor $d'$ of $\frac{n}{\gcd(n,c(0))}$ with factorization as in equation (4), we distinguish again between the cases $a > 1$ and $a = 1$.

For $a > 1$ we have $n > 2$ and the factors $2^{r \cdot d \cdot \gcd(n,c(i))}$ in the nonzero terms of (3) have $2^{a-1}$ as a divisor of $d$. Write $d = k_d \cdot 2^{a-1}$. We have

$$2^{r \cdot d \cdot \gcd(n,c(i))} = 2^{r \cdot k_d \cdot 2^{a-1} \cdot \gcd(n,c(i))},$$

which for each nonnegative integer $a$ is divisible by $2^{2^{a-1}}$, which in turn is divisible by $2^{a+1}$. Thus we find from equation (3) that $N(d') \equiv \mu(d')\, 2^{r \cdot \gcd(n,c(i))} \bmod 2^{a+1}$. But since $a > 1$ we must have $\mu(d') = 0$. It follows that $\frac{N(d')}{d'}$ is even in this case.

For $a = 1$ we see that the only contributing terms to the parity of the $i$-th row permutation are of the form

where $d'$ is an even squarefree factor of $\frac{n}{\gcd(n,c(0))}$. If $r \cdot \gcd(n, c(0)) > 1$ then $N(d') \equiv_4 0$ and the factor $d'$ of $\frac{n}{\gcd(n,c(0))}$ contributes an even number of cycles of even length to the cycle decomposition of the row permutation. We see that for $m \cdot r \cdot \gcd(n, c(0)) > 1$ the function $\pi$ is an even permutation.

Finally consider the case when $m \cdot r \cdot \gcd(n,c(0)) = 1$. For $d' > 2$ a squarefree even factor of $\frac{n}{\gcd(n,c(0))}$ we have that $N(d') \equiv \mu(d') \cdot 2 \equiv_4 2$. Suppose that $n$ has $x + 1$ distinct prime factors, including 2. Thus, as $d' > 2$, we have $x > 0$. The number of squarefree even factors of $\frac{n}{\gcd(n,c(0))}$ larger than 2 is $2^x - 1$, an odd number. Thus the squarefree even factors of $\frac{n}{\gcd(n,c(0))}$ larger than 2 contribute an odd number of even length cycles to the cycle decomposition of the permutation $\pi$. To complete the count of the number of cycles of even length in the cycle decomposition of ShiftRows, we must still consider $\frac{N(2)}{2}$. By equation (3),

$$\frac{N(2)}{2} = \frac{2^2\,\mu(1) + 2\,\mu(2)}{2} = \frac{2(2-1)}{2} = 1.$$

In conclusion we find that for even $n > 2$ the function $\pi$ is an even permutation. For $n = 2$, $m = 1$, $r = 1$ and $c$ odd, the $\pi$ permutation has one 2-cycle, and two fixed points, and is thus an odd permutation. □
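As an added worked check (not part of the paper), the following Python computes the parity of $\pi$ for small parameters in three independent ways: brute-force cycle counting on the state space, the Möbius count $N(d')$ of equation (3), and the closed-form criteria of the preceding lemma (odd $p$) and Lemma 18 ($p = 2$). The function names, the list `c` of shift amounts $c(i)$ and the sample parameters are this example's own choices; parity 1 means odd.

```python
from itertools import product
from math import gcd

# Added example, not from the paper.  pi only permutes entries, so field elements
# are encoded as the integers 0..q-1 with q = p^r; the list c (a name chosen here)
# holds the shift amounts c(0), ..., c(m-1) of the m rows.

def mobius(k):
    """Moebius function mu(k) by trial division."""
    result, f = 1, 2
    while f * f <= k:
        if k % f == 0:
            k //= f
            if k % f == 0:
                return 0  # squared prime factor
            result = -result
        f += 1
    return -result if k > 1 else result

def divisors(k):
    return [d for d in range(1, k + 1) if k % d == 0]

def shift_rows(state, m, n, c):
    """One application of pi: on row i, position j receives x_{(n - c(i) + j) mod n}."""
    return tuple(state[i * n + (j - c[i]) % n] for i in range(m) for j in range(n))

def parity_bruteforce(p, r, m, n, c):
    """Parity of pi (1 = odd) as the number of even-length cycles on the state space, mod 2."""
    q = p ** r
    states = list(product(range(q), repeat=m * n))
    index = {s: k for k, s in enumerate(states)}
    seen = [False] * len(states)
    even_cycles = 0
    for k, s in enumerate(states):
        if seen[k]:
            continue
        length, cur = 0, s
        while not seen[index[cur]]:
            seen[index[cur]] = True
            cur = shift_rows(cur, m, n, c)
            length += 1
        even_cycles += 1 if length % 2 == 0 else 0
    return even_cycles % 2

def count_exact(q, g, dp):
    """Equation (3): N(d') = sum_{d | d'} q^(d*g) * mu(d'/d), with g = gcd(n, c(i))."""
    return sum(q ** (d * g) * mobius(dp // d) for d in divisors(dp))

def parity_mobius(p, r, m, n, c):
    """Parity of pi as the product of its m row permutations, each counted via N(d')."""
    q, parity = p ** r, 0
    for ci in c:
        g = gcd(n, ci)
        # N(d')/d' cycles of length d' per row, times q^((m-1)n) states of the other
        # rows; only the even d' contribute to the parity of the row permutation
        even_cycles = sum(q ** ((m - 1) * n) * count_exact(q, g, dp) // dp
                          for dp in divisors(n // g) if dp % 2 == 0)
        parity ^= even_cycles % 2
    return parity

def parity_predicted(p, r, m, n, c):
    """Closed form: Lemma 18 for p = 2, the lemma for odd p otherwise."""
    if p == 2:
        return int(m * r * gcd(n, c[0]) == 1 and n == 2)
    if p % 4 == 1 or r % 2 == 0:
        return 0  # Case 1: every row permutation is even
    # p = 3 (mod 4) and r odd: row i is odd iff r * gcd(n, c(i)) is odd
    return sum(r * gcd(n, ci) for ci in c) % 2

if __name__ == "__main__":
    for case in [(3, 1, 1, 2, [1]), (2, 1, 1, 4, [1]), (3, 1, 2, 4, [1, 2])]:
        print(case, parity_bruteforce(*case), parity_mobius(*case), parity_predicted(*case))
```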

Lemma 19. The function $\pi$ is a linear transformation of the vector space $M_{m,n}(GF(p^r))$ over the field $GF(p^r)$.

Proof. We use the ideas in the proof of Lemma 17. The space $M_{m,n}(GF(p^r))$ can be viewed as the direct sum

$$V = V_1 \oplus \cdots \oplus V_m,$$

where each $V_i$ is $M_{1,n}(GF(p^r))$, the space of $n \times 1$ row vectors over the field $GF(p^r)$.

Now consider $V_i$ as the space of $i$-th rows of members of $M_{m,n}(GF(p^r))$. With $c(1), \dots, c(n)$ defined as before, a single application of the $\pi$ permutation maps the $i$-th row

$$(x_0, \dots, x_{n-1}) \mapsto (x_{n-c(i)+0 \bmod n}, \dots, x_{n-c(i)+n-1 \bmod n}).$$

Define from the $n \times n$ identity matrix the matrix $C_i$ by letting this mapping act on each of the columns of the identity matrix as if it were the $i$-th row. As the reader could verify, this matrix $C_i$ has the property that

$$[x_0, \dots, x_{n-1}] \cdot C_i = [x_{n-c(i)+0 \bmod n}, \dots, x_{n-c(i)+n-1 \bmod n}].$$

Note that $C_i$ is a linear transformation of the vector space $M_{1,n}(GF(p^r))$ over the field $GF(p^r)$.

Now the function $\pi$ on $M_{m,n}(GF(p^r))$ can be viewed as the direct sum $C_1 \oplus \cdots \oplus C_m$, where for $v_1 + v_2 + \cdots + v_m \in V$ we have

$$(C_1 \oplus \cdots \oplus C_m)(v_1 + \cdots + v_m) = C_1 \cdot v_1 + \cdots + C_m \cdot v_m,$$

which is a linear transformation on $M_{m,n}(GF(p^r))$. □

3.4. Analysis of the MixColumns-like function ($\rho$-function).

Definition 20. Let $\rho : M_{m,n}(GF(p^r)) \to M_{m,n}(GF(p^r))$ be the mapping defined as the parallel application of $n$ "column" mappings $\rho_j : M_{m,1}(GF(p^r)) \to M_{m,1}(GF(p^r))$ defined by $\rho(a) = b$ if and only if $b_j = \rho_j(a_j)$ for all $0 \le j < n$, where each $\rho_j$ is given by $\rho_j(x) = C \cdot x$ for all $x \in M_{m,1}(GF(p^r))$, where $C \in M_{m,m}(GF(p^r))$ is an invertible diffusion matrix.

Lemma 21. The function $\rho$ is a linear transformation of $M_{m,n}(GF(p^r))$.

Lemma 22. Let $C \in M_{m,m}(GF(p^r))$ be an invertible diffusion matrix and $n \ge 1$. Then the function $\rho$ is an odd permutation if and only if $p$, $n$, and $\frac{p^{rm} - 1}{|\langle C \rangle|}$ are odd.

Proof. Consider the function $\rho$ as a composition of $n$ permutations $\rho_j$, each of which multiplies the $j$-th column by the invertible $m \times m$ matrix $C$ over $GF(p^r)$ and fixes the other $n - 1$ columns. Fix $j \in \mathbb{N}$. Then $\rho_j$ produces cycles of length $|\langle C \rangle|$. Of the $p^{rm}$ possible states of the $j$-th column all but the fixed points of $C$, which is only the all-0 column, are members of cycles. Note that for any state of the $j$-th column, there correspond $p^{rm(n-1)}$ states of the entire matrix. Therefore, over $M_{m,n}(GF(p^r))$, the permutation $\rho_j$ consists of

$$(6)\qquad \frac{p^{rm(n-1)}\,(p^{rm} - 1)}{|\langle C \rangle|}$$

cycles of length $|\langle C \rangle|$. This number of cycles is odd if and only if $p$ is odd and $\frac{p^{rm} - 1}{|\langle C \rangle|}$ is odd (in this case $|\langle C \rangle|$ is even). Note that for only an odd number of $\rho_j$'s would their composition then be an odd permutation, meaning $n$ must be odd. □

Note that for $p = 2$ the $\rho$ function is odd if and only if $n = 1$. Additionally, for $n = 1$ and $p > 2$ the $\rho$ function is odd if and only if $\frac{p^{rm} - 1}{|\langle C \rangle|}$ is odd.

3.5. Analysis of the generalized Rijndael-like round functions. 

Definition 23. Let $m, n, r > 0$ be natural numbers and $k \in \mathcal{K}$. The mapping $T[k] : M_{m,n}(GF(p^r)) \to M_{m,n}(GF(p^r))$ defined as $T[k] = \sigma[k] \circ \rho \circ \pi \circ \lambda$ is called a generalized Rijndael-like round function.

Corollary 24. Let $p$ be an odd prime. For each $k \in \mathcal{K}$, the generalized Rijndael-like round function $T[k]$ is an odd permutation if and only if exactly one of the functions $\lambda$, $\rho$, and $\pi$ is odd.

Proof. By the earlier lemma on $\sigma[k]$, each $\sigma[k]$ is an even permutation. By the definition the function $T[k]$ is odd if and only if each of $\lambda$, $\rho$ and $\pi$ is odd, or else exactly one of these three functions is odd. By Lemmas 15, 17 and 22 these three functions cannot simultaneously be of the same parity. □

Corollary 25. For $n > 2$ the Rijndael-like round function $T[k] : M_{m,n}(GF(2^r)) \to M_{m,n}(GF(2^r))$ is an even permutation.

Corollary 26. The Rijndael-like round function $T[k] : M_{m,2}(GF(2^r)) \to M_{m,2}(GF(2^r))$ is an even permutation if and only if $\pi$ is even.

Corollary 27. The Rijndael-like round function $T[k] : M_{m,1}(GF(2^r)) \to M_{m,1}(GF(2^r))$ is an even permutation if and only if $\sigma[k]$ is odd or $\lambda$ is odd.

Note that when $n = 1$ and $m = 2$ the Rijndael-like round function $T[k]$ is an odd permutation.

Definition 28. Let $m, n, r > 0$ be natural numbers and $k \in \mathcal{K}$. For $s \ge 1$ and $2 \le i \le s$ the mapping $T_s[k] : M_{m,n}(GF(p^r)) \to M_{m,n}(GF(p^r))$ defined as

$$T_s[k] = \sigma[k_{s+1}] \circ \pi \circ \lambda \circ (\sigma[k_s] \circ \rho \circ \pi \circ \lambda) \circ \cdots \circ (\sigma[k_2] \circ \rho \circ \pi \circ \lambda) \circ \sigma[k_1],$$

where $\{k_i : 1 \le i \le s\}$ is the set of subkeys produced by the key $k$, is called the $s$-round generalized Rijndael-like function.

The AES as well as the actual Rijndael [16] are special $s$-round Rijndael-like functions for $m = n = 4$, $r = 8$, $p = 2$ and $s = 10$, $12$, or $14$ (depending on key size).

Theorem 29. [39] Let $mn > 2$ and $r > 2$ be natural numbers. Then the $s$-round Rijndael-like function

$$T_s[k] : M_{m,n}(GF(2^r)) \to M_{m,n}(GF(2^r))$$

is an even permutation.

Using Corollaries 25, 26 and 27 we have the following generalization of the theorem above.
Theorem 30. For $n > 2$ the $s$-round Rijndael-like function

$$T_s[k] : M_{m,n}(GF(2^r)) \to M_{m,n}(GF(2^r))$$

is an even permutation.

Corollary 31. The $s$-round Rijndael-like function $T_s[k] : M_{m,2}(GF(2^r)) \to M_{m,2}(GF(2^r))$ is an even permutation if and only if $\pi$ is odd and $s$ is even, or $\pi$ is even.

Corollary 32. The $s$-round Rijndael-like function $T_s[k] : M_{m,1}(GF(2^r)) \to M_{m,1}(GF(2^r))$ is an even permutation if and only if $\sigma$ is odd or $\lambda$ is odd or else $s$ is even.

The proofs of the theorems below are omitted as they follow directly from the above theorems about the parity of the functions $\sigma$, $\rho$, $\lambda$ and $\pi$.

Theorem 33. Let $p > 2$ be a prime. Then the $s$-round generalized Rijndael-like function $T_s[k]$ is an odd permutation if

(i) $s$ is even, and $\rho$ is odd, or else

(ii) $s$ is odd, and either $\pi$ or $\lambda$ is odd.

Corollary 34. Let $p > 2$ be a prime. Then the set of $s$-round Rijndael-like functions does not form a group if

(i) $s$ is even, and $\rho$ is odd, or else

(ii) $s$ is odd, and either $\pi$ or $\lambda$ is odd.

4. Groups generated by the generalized Rijndael-like round functions 

In this section we show properties of groups generated by the round functions of the Rijndael-like SP-network. We provide conditions under which the group generated by the generalized Rijndael-like round functions based on operations of the finite field $GF(p^r)$ ($p > 2$) is equal to the symmetric group or the alternating group on the state space. Some of the techniques that we use for this result appear in [9].

In our analysis of this group note that by Lemmas 19 and 21, the functions $\rho$ and $\pi$ appearing in $T[k] = \sigma[k] \circ \rho \circ \pi \circ \lambda$ are both linear. Thus the map $\alpha = \rho \circ \pi$ is a linear transformation.

The space $V = M_{m,n}(GF(p^r))$ is a direct sum

$$V = V_1 \oplus \cdots \oplus V_{mn},$$

where each $V_i$ has dimension $r$ over $GF(p)$. For any $v \in V$ we write

$$v = v_1 \oplus \cdots \oplus v_{mn},$$

where $v_i \in V_i$. Also, we consider the projections $\mathrm{Proj}_i : V \to V_i$ onto $V_i$ given by $\mathrm{Proj}_i(v) = v_i$.

Definition 35. We say that $\gamma : V \to V$ is a piecewise Galois field inversion if for all $v \in V$,

$$\gamma(v) := (v_1)^{e_{v_1}} \oplus \cdots \oplus (v_{mn})^{e_{v_{mn}}}, \quad \text{where } e_{v_i} \in \{-1, 1\} \text{ is such that } e_{v_i} = \begin{cases} -1 & \text{if } v_i \neq 0, \\ 1 & \text{otherwise.} \end{cases}$$

Lemma 36. Let $\gamma_i$ denote the restriction of $\gamma$ to $V_i$ and let $r > 4$. Then

(1) $\gamma(0) = 0$ and $\gamma^2$ is the identity map.

(2) For all $i$ with $1 \le i \le mn$:

(a) For all $v \in V_i$ where $v \neq 0$, the image of the map $V_i \to V_i$ which maps $x \mapsto \gamma_i(x + v) - \gamma_i(x)$ has size greater than $p^{r-2}$, and

(b) If a subspace of $V_i$ is invariant under $\gamma_i$ then it has codimension at least 3.

Proof. The condition (1) is satisfied by construction of $\gamma$.

Proof of (2)(a): Fix $0 \neq v \in GF(p^r)$ and consider the map $GF(p^r) \to GF(p^r)$ which maps $x \mapsto (x + v)^{-1} - x^{-1}$. The size of the image of this map is equal to the number of distinct $b$'s that solve the equation $(x + v)^{-1} - x^{-1} = b$. If $x \neq 0, -v$, then $(x + v)((x + v)^{-1}) = 1$ and $x(x^{-1}) = 1$, and

$$\begin{aligned}
(x + v)^{-1} - x^{-1} &= b \\
\Leftrightarrow\; x(x + v)\big((x + v)^{-1} - x^{-1}\big) &= x(x + v)\,b \\
\Leftrightarrow\; x - (x + v) &= bx^2 + bvx \\
\Leftrightarrow\; bx^2 + bvx + v &= 0 \\
\Leftrightarrow\; b(x^2 + vx) &= -v.
\end{aligned}$$

Now as $x$ ranges over $GF(p^r)$ except $0$ and $-v$, the quantity $(x^2 + vx)$ ranges over at least $\frac{p^r - 2}{2}$ distinct nonzero values, whence solving for $b$ we find at least $\frac{p^r - 2}{2}$ distinct values of $b$. Therefore the map $x \mapsto (x + v)^{-1} - x^{-1}$ has at least $\frac{p^r - 2}{2} > p^{r-2}$ distinct values, fulfilling condition 2(a).

Proof of (2)(b): Assume that $U$ is a proper (vector-) subspace of $V_i$ and $U$ is closed under inversion. As a subspace, $U$ is an additive subgroup of $V_i$. Apply Theorem 9 and Lemma 10 to find that either $U$ is a subfield of $V_i$, or $|U| = |F|$ for some subfield $F \subseteq V_i$. Since $V_i$ is isomorphic to $GF(p^r)$, Theorem 6 implies that $|U| = p^k$ where $k \mid r$ and $k \neq r$. Then as $k$ is a proper divisor of $r$, $k \le \frac{r}{2}$. But then we have the following implications

$$\begin{aligned}
&|U| \le p^{r/2} \\
\Rightarrow\; &\dim(U) \le \tfrac{r}{2} && \text{because } |U| = p^{\dim(U)} \\
\Rightarrow\; &\operatorname{codim}(U) \ge \tfrac{r}{2} && \text{because } \dim(U) + \operatorname{codim}(U) = \dim(V_i) = r \\
\Rightarrow\; &\operatorname{codim}(U) \ge 3 && \text{provided } r \ge 5.
\end{aligned}$$

This completes the proof of condition 2(b) and the theorem. □

Theorem 37. Let $r > 4$ and $V = M_{m,n}(GF(p^r))$. If $U \neq \{0\}$ is a subspace of $V$ such that for all $u \in U$ and $v \in V$

$$(\alpha \circ \gamma)(v + u) - (\alpha \circ \gamma)(v) \in U,$$

where $\alpha = \rho \circ \pi$, then $U$ is invariant under $\alpha$ and $U$ is a sum of some of the $V_i$.

Proof. We already know that $\alpha$ is a permutation of the set $V$. By Lemma 19 and Lemma 21 we have that $\alpha$ is an invertible linear transformation of the vector space $V$ over the field $GF(p^r)$. Thus, $W = \alpha^{-1}[U]$ is a vector subspace of $V$ of the same dimension as $U$. Thus, for all $u \in U$ and $v \in V$ we have

$$(7)\qquad \gamma(v + u) - \gamma(v) \in \alpha^{-1}[U] = W.$$

Setting $v = 0$ in (7) and using the fact that $\gamma(0) = 0$, we see that for each $u \in U$ we have $\gamma(u) \in W$. Hence, $\gamma$ is a function from $U$ to $W$. Since $U$ and $W$ are finite and $|\gamma[U]| = |U| = |W|$, (1) of Lemma 36 implies that

$$\gamma[U] = W \quad \text{and} \quad \gamma[W] = U.$$

Using the hypothesis that $U$ is not $\{0\}$, choose a $u \in U$ and an $i$ such that $u_i = \mathrm{Proj}_i(u) \neq 0$. With $i$ fixed from now on, consider any $v_i \in V_i$ with $v_i \neq 0$. We have that $\gamma(u + v_i) - \gamma(v_i) \in W$ and $\gamma(u) \in W$. Since $W$ is a vector space, $-\gamma(u) + \gamma(u + v_i) - \gamma(v_i) \in W$. Explicitly written $\gamma(u + v_i)$ and $\gamma(u)$ have the form

$$\gamma(u + v_i) = \gamma_1(u_1) \oplus \gamma_2(u_2) \oplus \cdots \oplus \gamma_i(u_i + v_i) \oplus \cdots \oplus \gamma_{mn}(u_{mn})$$

and

$$\gamma(u) = \gamma_1(u_1) \oplus \gamma_2(u_2) \oplus \cdots \oplus \gamma_i(u_i) \oplus \cdots \oplus \gamma_{mn}(u_{mn}).$$

Since $V_i$ is a vector space, $-\gamma_i(u_i) + \gamma_i(u_i + v_i) - \gamma_i(v_i) \in V_i$. Therefore,

$$-\gamma(u) + \gamma(u + v_i) - \gamma(v_i) = -\gamma_i(u_i) + \gamma_i(u_i + v_i) - \gamma_i(v_i) \in W \cap V_i.$$

If for each $v_i \in V_i$ this vector was the zero-vector, then the image of the map $v_i \mapsto \gamma_i(v_i + u_i) - \gamma_i(v_i)$ from $V_i$ to $V_i$ would be $\{\gamma_i(u_i)\}$. This would contradict (2)(a) of Lemma 36. Thus, $W \cap V_i \neq \{0\}$.

Since $U \cap V_i = \gamma(W \cap V_i)$ and $\gamma_i(x) = 0$ implies $x = 0$, we have that $U \cap V_i \neq \{0\}$. Thus there is a non-zero element $u_i \in U \cap V_i$. By the hypothesis that $r > 4$ and (2)(a) of Lemma 36 the map $x \mapsto \gamma_i(x + u_i) - \gamma_i(x)$ from $V_i$ to $V_i$ has image of cardinality greater than $p^{r-2}$. But as seen in (7), the image of this map is also a subset of $W$. Thus $W \cap V_i$ is a linear subspace of $V_i$ and has cardinality greater than $p^{r-2}$. As a subspace of $V_i$ the cardinality of $W \cap V_i$ must be a factor of the cardinality $p^r$ of $V_i$ and thus is a power of the prime number $p$. It follows that the cardinality of $W \cap V_i$ is at least $p^{r-1}$. But then the codimension of $W \cap V_i$ in $V_i$ is at most 1. Similarly, the codimension of $U \cap V_i$ is at most 1. Hence, the subspace $U \cap W \cap V_i$ of $V_i$ has codimension of at most 2 in $V_i$. In particular, since $r > 2$ we have that

$$U \cap W \cap V_i \neq \{0\}.$$

Because $\gamma(U) = W$ and $\gamma(W) = U$, we see that $U \cap W \cap V_i$ is invariant under $\gamma$. From Condition (2), it follows that $U \cap W \cap V_i = V_i$. Hence, $U \supseteq V_i$.

So if $U$ contains an element of $V_i$ for some $i$, then $U \supseteq V_i$. Hence, $U$ is a direct sum of some of the $V_i$. Since $W = \gamma(U)$ and $\gamma(V_i) = V_i$ for all $i$, we see that $W = U$. And since $U = \gamma(W)$, it follows that $U = \alpha(U)$. □

Theorem 38. Let $\tau = \{T[k] \mid k \in \mathcal{K}\}$ be the set of all generalized Rijndael-like functions $T[k] : M_{m,n}(GF(p^r)) \to M_{m,n}(GF(p^r))$ ($p > 2$) and $\mathcal{G}_\tau = \langle T[k] \mid k \in \mathcal{K} \rangle$ be the group generated by the set $\tau$. Assume that the only subspaces of $M_{m,n}(GF(p^r))$ that are invariant under $\alpha = \rho \circ \pi$ are $\{0\}$ and $M_{m,n}(GF(p^r))$. Then for all $m$, $n$ and $r > 4$ the group $\mathcal{G}_\tau$ is primitive.

Proof. Let $V = M_{m,n}(GF(p^r))$. Suppose that $\mathcal{G}_\tau$ acts imprimitively on $V$. By Corollary 4.1 of [H], there is a proper subspace $U$ of $V$ such that $U \neq \{0\}$ and such that for all $u \in U$ and $v \in V$

$$(\alpha \circ \gamma)(v + u) - (\alpha \circ \gamma)(v) \in U.$$

By Theorem 37 $U$ is a direct sum of some of the $V_i$ and an invariant subspace of $\alpha$ (i.e., $U = \alpha(U)$). But this contradicts the hypothesis that $\alpha$ has no non-trivial invariant subspaces. Therefore, $\mathcal{G}_\tau$ is primitive. □

The following theorem follows directly from Lemma [H] and Theorem 38.
Theorem 39. Let $\tau = \{T[k] \mid k \in \mathcal{K}\}$ be the set of all generalized Rijndael-like functions on $M_{m,n}(GF(p^r))$ and $\mathcal{G}_\tau = \langle T[k] \mid k \in \mathcal{K} \rangle$ be the group generated by the set $\tau$. If $\{0\}$ and $M_{m,n}(GF(p^r))$ are the only subspaces of $M_{m,n}(GF(p^r))$ that are invariant under $\alpha = \rho \circ \pi$ and $\mathcal{G}_\tau$ contains an $m$-cycle with $2 < m < (n - m)!$, then for all $m, n > 1$ and $r > 4$ the group $\mathcal{G}_\tau$ is either the alternating group or the symmetric group acting on $M_{m,n}(GF(p^r))$.

Note that the hypothesis that $\alpha$'s only invariant subspaces are $\{0\}$ and $M_{m,n}(GF(p^r))$ implies that $\gcd(c_1, \dots, c_m, n) = 1$. Indeed, suppose that $\gcd(c_1, \dots, c_m, n) = x > 1$. Consider an input $a \in M_{m,n}(GF(p^r))$ for $\alpha$ with only one non-zero entry, a 1 in the first column.

Note that under $\alpha$, the orbit of $a$ will have its non-zero entries at column positions of the form $1 + k \cdot x \le n$, $k \in \mathbb{N}$. Thus, no orbit element will have a nonzero entry in the second column. But then as $\alpha$ is linear it has an invariant subspace consisting of members of $M_{m,n}(GF(p^r))$ that have no nonzero entries in the second column. This is a subspace different from $\{0\}$ and $M_{m,n}(GF(p^r))$, contradicting that $\alpha$'s only invariant subspaces are $\{0\}$ and $M_{m,n}(GF(p^r))$.

Also, note that in general the condition $\gcd(c_1, \dots, c_m, n) = 1$ is not sufficient to guarantee that $\alpha$'s only invariant subspaces are $\{0\}$ and $M_{m,n}(GF(p^r))$. To see this, the reader is invited to consider the following example.

Example. Consider the vector space $M_{2,8}(GF(7))$, an irreducible polynomial $f(x) = x^2 + x + 3$ over $GF(7)$ and $c_1 = 1$ and $c_2 = 5$. Since the MixColumns-like function $\rho$ is linear it can be specified as $d = M \cdot c$ for $c, d \in M_{2,8}(GF(7))$ and $M$ a matrix of dimension $2 \times 2$. Let $M$ be the $2 \times 2$ matrix corresponding to the generating polynomial $M(x)$ for $GF(7)/(f)$. Now let

$$a = \begin{pmatrix} 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\ 3 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \end{pmatrix} \in M_{2,8}(GF(7))$$

be the input in the function $\alpha$. It is easy to see that the orbit of $a$ under $\alpha$ has 48 elements containing a linearly independent subset of at most 15 elements. Thus the subspace $W$ generated by this orbit has dimension $1 \le \dim(W) \le 15$, and as $\alpha$ is linear, this is an invariant subspace of $\alpha$ with dimension less than $\dim(M_{2,8}(GF(7))) = 16$.

Note that the ShiftRows-like function $\pi$ for this example (in the sense of Definition 9.4.1 of [16]) and the MixColumns-like function $\rho$ (in the sense that the orbit of any non-zero column vector includes all the nonzero column vectors) are diffusion optimal. Thus, merely requiring that ShiftRows is diffusion optimal is not sufficient to guarantee that the only invariant subspaces of $\alpha$ are $\{0\}$ and $M_{m,n}(GF(p^r))$.

Next we determine the group $\mathcal{G}_\tau^s = \langle T[k_s]\,T[k_{s-1}] \cdots T[k_1] \mid k_i \in \mathcal{K} \rangle$ generated by the set of all compositions of $s$ (independently chosen) generalized Rijndael-like functions.
Theorem 40. Let $\tau = \{T[k] \mid k \in \mathcal{K}\}$ be the set of all generalized Rijndael-like functions and $\mathcal{G}_\tau = \langle T[k] \mid k \in \mathcal{K} \rangle$ be the group generated by the set $\tau$. Then

(a) If $\mathcal{G}_\tau = A_{p^{rmn}}$, then $\mathcal{G}_\tau^s = A_{p^{rmn}}$.

(b) If $\mathcal{G}_\tau = S_{p^{rmn}}$, then $\mathcal{G}_\tau^s = A_{p^{rmn}}$ if $s$ is even and $\mathcal{G}_\tau^s = S_{p^{rmn}}$ if $s$ is odd.

Proof. Part (a) follows immediately from Lemma 1 and Theorem 2. To show Part (b) suppose that $\mathcal{G}_\tau = S_{p^{rmn}}$. If $s$ is even, then every element of $\mathcal{G}_\tau^s$ must be an even permutation. Hence $\mathcal{G}_\tau^s = A_{p^{rmn}}$ by Lemma 1. If $s$ is odd, then $\mathcal{G}_\tau^s$ must contain an odd permutation. Hence $\mathcal{G}_\tau^s = S_{p^{rmn}}$, again by Lemma 1. □

5. Conclusion 

In this paper we provided conditions for which the round functions of a Rijndael-like block cipher deployed over a finite field $GF(p^r)$ ($p > 2$) do not constitute a group under functional composition (Theorem 33). We also provided conditions for which the round functions of a Rijndael-like block cipher over a finite field $GF(p^r)$ ($p > 2$) generate either the alternating group or the symmetric group on the message space (Theorem 40).